Risk management means different things for different organisations. A risk manager of a manufacturing company may for instance focus on risks related to the supply chain, the manufacturing process and distribution. An insurer will assess the risk of the object to be insured and the insured party’s risk profile. And what about a claims handling organisation?
A claims handling organisation deals with risk and compliance:
- within its own organisation
- in relation to claims processes of its customers (insurers, brokers, captives)
- and their policyholders (ranging from individuals to large corporates)
Suffice it to say that a customer, when contemplating the outsourcing of claims processes, can no longer afford to make decisions based on price alone. When outsourcing claims processes, the customer shifts so much responsibility that the professionalism of the claims handler’s Risk & Compliance function is essential in the decision-making process. New privacy and compliance legislation is making the function increasingly important.
A customer wishing to outsource claims processes should ask the following three closely related questions as part of the decision-making process:
Are regulations and legislation actively implemented?
Well before the effective date of new legislation, the claims handling organisation must prepare for implementation. Van Ameyde, for example, started implementing GDPR as early as 2016. Other relevant legislation includes the Anti Money Laundering Directive, which requires substantial adaptations to the financial systems.
Is the claims handling organisation in control of its processes?
Process control is closely related to the company’s IT systems. How do you assess whether the service provider is in control of its processes? As a principal you must, after all, be able to demonstrate that your service provider is indeed in control. This is easy to demonstrate if the service provider has ISAE 3402 type 2 reporting. ISAE 3402 is the international outsourcing standard. The risk management framework is part of the reporting. Type 2 reporting does not only demonstrate the existence of control measures (= type 1 reporting) but also the effectiveness of those measures.
How does the claims handling organisation secure data?
Not least because of GDPR, claims handling requires the highest possible level of security of IT systems. Although ISO certification is not compulsory within the scope of GDPR, ISO 27001:2013 is the relevant certification for information security management systems. With this certification you, as a customer, may rest assured that your service providers are at the top of their game when it comes to cyber security, above and beyond privacy protection.
Risk & compliance in claims handling: one step ahead
A claims handling organisation that means business in terms of Risk & Compliance has a considerable lead on its customers:
- benefit of scale: a claims handling organisation dealing with hundreds of thousands of claims annually can afford to invest in claims process related Risk & Compliance
- core business: whereas a customer would be faced with investments in a cost driver, the claims handling organisation invests in its core business
- broad expertise from many angles: a customer can only reference against its own business, whereas a claims handling organisation learns from hundreds of clients and an infinite variety of situations
Risk & Compliance does not only contribute to security and process improvements; the function also has an important role in the area of organisation improvement. Feedback from our claims handlers helps us improve processes, which in turn helps claims handlers do their work more efficiently. The Risk & Compliance function is multi-disciplinary: from legal to operations and from IT to LEAN.
When it comes to professional Risk & Compliance, Van Ameyde is way ahead of the claims management market. In 2008 we were the first in the market to obtain SAS70 reporting: the precursor of ISAE 3402 reporting (which we have had ever since). With its in-house IT organisation (Zero)70, Van Ameyde was also the first to become ISO 27001:2013 certified for its information security management system. In 2016 this certification was one of the first steps in the GDPR compliance project. Suffice it to say that securing our systems goes beyond GDPR requirements, as we consider securing our customers against cyber risks a vital part of our service offering.
Questions about Risk & Compliance in claims handling?
I will gladly answer any questions you may have. Please do not hesitate to contact me!